On 10.08.2017 23:12, g...@gregj.me wrote: > Ok I think this is onto something. I changed > > <LimitExcept MERGE> to <LimitExcept GET> and the commit worked. When I > removed the LIMITEXCEPT completely it didn't even request my password (and > failed). > > I'll have our tester test it with that tonight if possible. > > Thank You! > > Question: What *should* be specified?
If you want all access to be authenticated, you do not need a <Limit> or <LimitExcept> clause; just the "Require valid-user". You'd use Limit(Except) in order to impose read-only and read-write distinction in the request level, before mod_authz_svn kicks in. Here's an example, the config I use at $DAYJOB for httpd 2.4.x: <RequireAll> Require valid-user <Limit HEAD GET OPTIONS PROPFIND REPORT> <RequireAny> Require ldap-group cn=dev,ou=group,dc=example,dc=com Require ldap-group cn=dev.readonly,ou=group,dc=example,dc=com # More reader groups here </RequireAny> </Limit> <LimitExcept HEAD GET OPTIONS PROPFIND REPORT> <RequireAny> Require ldap-group cn=dev,ou=group,dc=example,dc=com # More writer groups here </RequireAny> </LimitExcept> </RequireAll> I have LDAP authentication set up, and group assignments in LDAP to distinguish between users with only read access and users with read/write access. Notice how I use Limit and LimitExcept so that the list of request methods is the same in both clauses, makes it easy to check the config by eye and I only have to remember what the "read access" methods are. :) -- Brane